We covered directory browsing and spidering by solving Challenge 001 in the free OWASP Hackademic lab.
The Challenge: Finding a Missing Employee’s Email
The primary goal was to find the email address of a missing employee from a company called “Logistics,” which was suspected of being involved in a human organ smuggling operation. Once found, this email needed to be sent via the company’s internal communication panel to successfully complete the challenge.
Initial Attempts and Discovering a Hidden Path
My first instinct was to try SQL injection to gain access to an admin or transportation panel. However, this approach failed because the credentials weren’t stored in a database like MySQL. This immediately told me I needed to change my strategy.
By carefully examining the web page’s source code, I discovered a hidden path or directory. Accessing this path led me to an internal “secret area” of the company’s website. This was a crucial breakthrough!
Exploring the Internal Site and Using a Spidering Tool
This internal area had various options, including “Expandability,” “Public Services,” and “Main Task.” The “Main Task” section contained the central communication panel I needed to send the email. There was also a “Mailbox” section listing specialty clients, but the target employee’s email wasn’t immediately visible there.
To find the missing employee’s email, I decided to use Burp Suite’s spidering functionality. This tool is excellent for crawling a website and discovering hidden directories and files that might not be linked directly from the main pages.
Locating the Email List and Identifying the Target
The spidering process proved fruitful! It revealed a detailed directory structure, including a “secret area” directory. Within this, I found a file named “mails.text,” which contained a list of client email addresses.
The challenge had given me a key clue: the employee was hired on “Friday the 13th.” By searching through the “mails.text” file, I quickly identified an email address associated with this specific date: justin.keller@logistics.com.
Completing the Challenge
With the target email address in hand, I copied it and sent it through the company’s central communication panel to OWASP, successfully completing the challenge.
Key Takeaway: Beyond Common Attack Vectors
This challenge really highlighted the importance of thoroughly examining source code and utilizing powerful tools like web spiders to uncover hidden information and vulnerabilities. It reinforced that relying solely on common attack vectors like SQL injection isn’t always enough; sometimes, the solution lies in more fundamental reconnaissance and exploration.
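The defender's side of the same findings, as an added example that is not part of the original post or the Hackademic project: a short Python audit that walks a local web root and flags the three conditions the walkthrough relied on (a path mentioned in an HTML comment, a directory with no index file, and a static file holding a list of email addresses). The directory layout, the addresses and the regex heuristics are constructed assumptions for illustration.

```python
import os
import re
import tempfile

# Assumed heuristics for this example, not taken from the challenge itself.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
PATH_RE = re.compile(r"(?:^|\s)/[\w./-]+")
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
PAGE_EXTS = (".html", ".htm", ".php")

def audit_webroot(root):
    """Return sorted (issue, relative_path) findings for a local web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Without an index file the server lists the directory if autoindex is on.
        if not INDEX_NAMES & set(files):
            findings.append(("listable-if-autoindex", rel_dir))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                text = fh.read()
            if name.endswith(PAGE_EXTS):
                # Comments are shipped to every visitor; a path in one is a map.
                if any(PATH_RE.search(c) for c in COMMENT_RE.findall(text)):
                    findings.append(("path-in-html-comment", rel))
            elif len(set(EMAIL_RE.findall(text))) >= 2:
                findings.append(("email-list-in-static-file", rel))
    return sorted(findings)

def build_sample_webroot():
    """Constructed layout modelled on the post: a commented path and a mail list."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "secret_area"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><!-- staff pages moved to /secret_area/ -->\n"
                 "<body>Welcome</body></html>\n")
    with open(os.path.join(root, "secret_area", "mails.text"), "w") as fh:
        fh.write("alice@example.com\nbob@example.com\n")  # constructed addresses
    return root

if __name__ == "__main__":
    for issue, path in audit_webroot(build_sample_webroot()):
        print(f"{issue:28} {path}")
```

Run against a staging copy of the site before deployment; any finding is content that a crawler or a reader of the page source can reach without authentication.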